Security Brief and Terms II

Session 15YSU

Weapons of Mass Destruction

Risk – Attacker’s View

• Risk Aversion– A measure of what an attacker is willing to

lose.– What was the risk aversion (low or high)?

• Timothy McVeigh• John Hinkley• Scott Peterson• Martha Stewart• Robert Blake• 9-11 Hijackers

Risks to The System?

• Important to know your attacker and their level of risk aversion

• Know the tools available. . .– Public Health Department

• Irrational disgruntled client• Disgruntled• Religious fundamentalist bioterrorist aiming

to eliminate public health system

Types of Attackers

• Opportunistic – Rather risk averse– Speeders– Kids in a candy store– Lady with lottery ticket

• Professional – Less risk averse/calculated– Brinks job

Types of Attackers

• Emotional– Attacks are statement attacks– Often make no sense to others– 1993 World Trade Center– Embassy bombings– Susan Smith– Richard Reid

Groups of Concern - Emotional

• Religious– Hezbollah, IRA, Al Qaida,

• Political– FLNC, Red Brigade

• Issue– Earth First, ACT UP,

Homicide Bombers

• What is Israel’s response to homicide bombers?

“I’m Sorry Attacks”

• I have pulled this one at LAX when I realized that my favorite multipurpose tool was still attached to my belt.

• I also pulled this at LAX years before trying to bring home fruit on the plane.

• Plausible deniability

• Weapons to Nicaragua.

Changing the Rules

• New form of hijacking – White House Memo

• Hijacking – Northwest U.S.• MIT Students – Las Vegas• NORAD – Cobalt Devices• 9-11 Attackers

Security System Issues

• In General – Complexity = Vulnerability

• In General – Standardization = Vulnerable– Home alarms– Computer firewalls– Combination locks– Car alarms– Airport security– Class Breaks

Security Structure - School

• Camera in Parking Lot

• Sign on Door

• Buzzer and Camera

• I.D. and Verification

• Accompanying Party

Security Structure

• Single-Layer Defense Technique– Store manager with deposit

• Sequential – No Link– Mote, Wall, Hot Oil

• Sequential – Linked– Motion detector, phone line,

monitoring system, dispatch

Security In-Depth

• Assures that if one system fails a second can pick up the slack. (how many?)– Bank– House– Airport– Courtroom– Mall

Weakest Link Consideration

• Harry Potter– 3-headed dog– Snare plant– Locked door – flying keys– Chess game– Troll– Logic patterns– Magic mirror– All Difficult

Brittle Layers Fail Badly

• Concrete Bunker

• Computer Systems

• Door on HVAC

• Nuclear Plant

Dynamic Systems Can Adapt

• Static security works great for copycats– When there is only one way to attack– Before submarines

• Dynamic – Human immune system– 1 type of potato– Human observation is flexible

• Flight 93 before and after phone calls

Flexibility of People

• December 14, 1999– Ahmed Resam– Diana Dean said he was hinky– This flexible system worked but. . – It was a form of profiling (not for Arabs)

Secrets

• Security relying on secrets is brittle– Codes for nuclear missile vs.– Secret door

What About Profiling?

• Everyone does it daily.• Not always malicious.• The way you dress, tone of voice, the way you

“carry yourself”, the car you drive, the language you use, your occupation and certainly your race and ethnicity.

Does Profiling Work Well?

• Depends on three factors– The accuracy of the intuition

• All Italians love pasta.• All Arabs are Muslims.

– How effective it is when it is institutionalized• If you are on 224 on a Saturday night, you might

be up to something – DUI.

– How commonplace the characteristics are• Men wearing earrings for example 50’s vs. 00’s

Profiling

• Often fails – real attackers are few and far between.

• True attackers may dye their hair, trim beard etc.

• If all attackers are of a single race or ethnicity, it may make sense– El Al Airlines heavily profile Arab men.– But what about Richard Reid?

Three Last Terms

• Identification – Who are you?– “Please insert ATM card”– Ticket and photo I.D.

• Authentication – Prove it.– “Type in your code”– Answer question or biometric scanners

• Authorization – You are allowed to do this.– Withdraw, deposit, get balance, pay loan– Enter the terminal

Summing Up Security

• There is much more to learn

• Monitor, detect, notify and respond

• In general– Flexible systems– Resilient in the face of attack– With security in depth